CVE-2025-54800

6.1 MEDIUM

📋 TL;DR

This is a stored cross-site scripting (XSS) vulnerability in the Hydra CI service. Metadata produced by a malicious package is stored in Hydra's database and later rendered on build pages without escaping, so JavaScript embedded in it runs in the browser of anyone who views the affected build. The payload enters at build time through the package's output, not through the web interface, so any Hydra instance that builds packages it does not fully control is affected.

💻 Affected Systems

Products:
  • Hydra CI service
Versions: All versions prior to commit dea1e168f590efb27db32dbacc82b09e15f8ae4b
Operating Systems: Any OS running Hydra
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in the default configuration; nothing beyond building a package whose metadata contains markup is needed to trigger it.

📦 What is this software?

Hydra is the continuous integration service for Nix-based projects, maintained by the NixOS project. It evaluates Nix expressions from configured jobsets, schedules and runs the resulting builds, and publishes build status, logs, metrics and build products through a web front end. The web front end is the part affected by this issue.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through client-side attacks.

🟠

Likely Case

Session hijacking, credential theft, or unauthorized actions performed in the context of authenticated users visiting build pages.

🟢

If Mitigated

Limited impact with a strict Content Security Policy and control over which packages are built, but the unescaped rendering remains in place until the instance is patched.

🌐 Internet-Facing: HIGH if Hydra instance is publicly accessible and builds untrusted packages.
🏢 Internal Only: MEDIUM as internal attackers or compromised packages could still exploit the vulnerability.

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: No (the attacker needs a way to get the Hydra instance to build their package)
Complexity: MEDIUM

Requires the ability to get a malicious package built by the Hydra instance, for example through a jobset that builds pull requests or third-party repositories. Once the metadata is stored, no further attacker interaction is needed: the payload runs in the browser of every user, including administrators, who opens the affected build page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit dea1e168f590efb27db32dbacc82b09e15f8ae4b or later

Vendor Advisory: https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99

Restart Required: Yes (the running hydra-server process must be restarted to load the patched code; on NixOS, nixos-rebuild switch restarts the service when the hydra package changes)

Instructions:

1. Update Hydra to commit dea1e168f590efb27db32dbacc82b09e15f8ae4b or later (on NixOS, update the hydra package in your channel or flake inputs and rebuild).
2. If you cannot move to that commit, backport it: the change escapes build metadata before it is rendered on build pages.
3. Restart hydra-server so the running process uses the patched code, then re-check a build page as described under How to Verify.

🔧 Temporary Workarounds

Avoid building untrusted packages (all platforms)

Only build packages from sources you control. The payload enters through build output rather than the web interface, so controlling what gets built is the only workaround that blocks injection itself.

Restrict access to build pages (all platforms)

Limit who can view build pages to reduce the number of users who can be targeted. This does not protect the administrators who still need to view those pages.

🧯 If You Can't Patch

  • Set a strict Content-Security-Policy header on the reverse proxy in front of Hydra that disallows inline script (no 'unsafe-inline'). Test that Hydra's own pages still work: any inline scripts in its templates will need nonces or hashes, and a policy loosened to accommodate them gives no protection against this bug.
  • Do not rely on a web application firewall to block the injection: the payload enters through build output on the server, not through an HTTP request, so a WAF never sees it. Response-side filtering can at best catch obvious payloads on the way out and should be treated as detection, not prevention.

🔍 How to Verify

Check if Vulnerable:

Compare the deployed Hydra commit with the fix commit. Then build a test package whose metadata contains a harmless markup canary (something that renders visibly but does not execute, rather than a live script) and check whether the build page returns it verbatim or HTML-escaped.

Check Version:

Read the commit hash from your deployment (the version of the hydra package on NixOS, or git rev-parse HEAD in a source checkout) and confirm it is the fix commit or a descendant of it. In a checkout of the Hydra repository, git merge-base --is-ancestor dea1e168f590efb27db32dbacc82b09e15f8ae4b HEAD exits 0 when the deployed revision includes the fix.

Verify Fix Applied:

Confirm the deployed commit is dea1e168f590efb27db32dbacc82b09e15f8ae4b or a descendant of it. Then repeat the canary build: on a fixed instance the build page shows the canary as escaped text (&lt;b ...) instead of rendering it as markup.
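The check described above, as an added example for this page (not Hydra's own code): it classifies a build page body as vulnerable, fixed or inconclusive based on whether a markup canary from build metadata comes back raw or escaped, and it wraps the git ancestry check for the fix commit. It assumes you have already built a test package whose metadata carries CANARY and that the build page renders that field; the two sample pages are constructed so the classifier can be exercised offline.

```python
"""Verify the CVE-2025-54800 fix on a Hydra instance by checking how a build
page renders a markup canary taken from build metadata.

Added example for this page, not Hydra's own code. It assumes you have
already built a test package whose metadata contains CANARY and that the
build page at the URL you pass renders that field; the sample pages below
are constructed to show both outcomes offline.
"""
import html
import subprocess
import urllib.request

FIX_COMMIT = "dea1e168f590efb27db32dbacc82b09e15f8ae4b"

# Harmless canary: looks like markup but does nothing if rendered raw,
# so a positive result on a production instance has no side effects.
CANARY = '<b data-hydra-xss-canary="cve-2025-54800">canary</b>'


def classify_rendering(page_html: str, canary: str = CANARY) -> str:
    """Return "vulnerable", "fixed" or "absent" for one build page body.

    vulnerable: the canary reached the page verbatim (raw markup).
    fixed:      the canary is present only in HTML-escaped form.
    absent:     neither form found (wrong page, field not rendered, build
                not finished).
    """
    if canary in page_html:
        return "vulnerable"
    # Escaping turns the leading '<b' into '&lt;b'; compare on the tag and
    # attribute name so differences in quote escaping do not matter.
    escaped_prefix = html.escape(canary, quote=False).split("=", 1)[0]
    if escaped_prefix in page_html:
        return "fixed"
    return "absent"


def deployed_commit_is_fixed(repo_dir: str, head: str = "HEAD") -> bool:
    """True if `head` in a Hydra checkout is the fix commit or a descendant.

    git merge-base --is-ancestor exits 0 when FIX_COMMIT is reachable from
    head. Assumes repo_dir is a clone of NixOS/hydra at the deployed revision.
    """
    result = subprocess.run(
        ["git", "-C", repo_dir, "merge-base", "--is-ancestor", FIX_COMMIT, head],
        capture_output=True,
    )
    return result.returncode == 0


def fetch(url: str) -> str:
    """Fetch a build page; add authentication headers here if your instance needs them."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample pages: what a vulnerable and a fixed build page would
# contain for the same canary.
SAMPLE_VULNERABLE_PAGE = f"<html><body><table><tr><td>{CANARY}</td></tr></table></body></html>"
SAMPLE_FIXED_PAGE = f"<html><body><table><tr><td>{html.escape(CANARY)}</td></tr></table></body></html>"


if __name__ == "__main__":
    import sys
    # Usage: python check_hydra_xss.py https://hydra.example/build/12345 [/path/to/hydra/checkout]
    if len(sys.argv) > 1:
        print("rendering:", classify_rendering(fetch(sys.argv[1])))
    if len(sys.argv) > 2:
        print("commit at or after fix:", deployed_commit_is_fixed(sys.argv[2]))
    for label, page in (("vulnerable sample", SAMPLE_VULNERABLE_PAGE), ("fixed sample", SAMPLE_FIXED_PAGE)):
        print(label, "->", classify_rendering(page))
```

An "absent" result is not a pass: it usually means the canary never reached the rendered field (build still queued, wrong page, or the metadata field is not one the page shows), so rerun the check rather than treating it as fixed.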

📡 Detection & Monitoring

Log Indicators:

  • Stored build metadata values (build product and metric entries) that contain HTML markup or script-like strings; Hydra does not log injection attempts as such, so review the stored values themselves rather than waiting for a log line
  • New or changed jobsets and inputs that point at repositories you do not control

Network Indicators:

  • Build pages that load scripts from, or send requests to, hosts outside your Hydra deployment
  • Browser sessions of Hydra users making unexpected outbound connections while a build page is open

SIEM Query:

Search the stored metadata fields, exported from Hydra's PostgreSQL database, case-insensitively for <script, javascript:, on*= attribute handlers and eval(, after decoding HTML entities so that encoded payloads are not missed.

🔗 References

  • GitHub advisory GHSA-7qwg-q53v-vh99: https://github.com/NixOS/hydra/security/advisories/GHSA-7qwg-q53v-vh99
  • Fix commit: https://github.com/NixOS/hydra/commit/dea1e168f590efb27db32dbacc82b09e15f8ae4b